Compromising online accounts by cracking voicemail systems Martin - - PowerPoint PPT Presentation
Compromising online accounts by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com 8 2 1 6 C P C d n a e m r r c t l e d s a d m a b A A a L g n i y a l p e l i h w d
Martin Vigo
@martin_vigo | martinvigo.com
Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com
C a p t u r e d w h i l e p l a y i n g “ L a A b a d í a d e l c r í m e n ”
Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm
“You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”
Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard
“Quickly Enter the following string: 123456789876543213579246864297314741933669944885522775395 96372582838491817161511026203040506070809001 (this is the shortest string for entering every possible 2-digit combo.)”
A Tutorial of Aspen Voice Mailbox Systems, by Slycath
“Defaults For ASPEN Are: (E.G. Box is 888) …. Use Normal Hacking Techniques:
1111 | \|/ 9999 1234 4321”
Hacking Answering Machines 1990 by Predat0r
“There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
checklist time!
Default PINs
by entering multiple PINs at once
message is an attack vector
Default PINs Common PINs
by entering multiple PINs at once
message is an attack vector
2012 Research study by Data Genetics https://www.datagenetics.com/blog/september32012
Default PINs Common PINs Bruteforceable PINs
by entering multiple PINs at once
message is an attack vector
Default PINs Common PINs Bruteforceable PINs Efficient bruteforcing by entering multiple PINs at once
message is an attack vector
bruteforcing voicemails fast, cheap, easy, efficiently and undetected
4 digit PIN for $5
default PIN for $13
major carriers
PINs, common PINs, patterns, etc.
Not Disturb
AT&T: 408-307-5049 Verizon: 301-802-6245 T-Mobile: 805-637-7243 Sprint: 513-225-6245
Vodafone: XXX-55-XXXXXXXX Telekom: XXX-13-XXXXXXXX O2: XXX-33-XXXXXXXX
4 digit PIN for $5
default PIN for $13
common PINs, patterns, etc.
Resets to a 6 digit PIN and sends it over SMS
Blocks the Caller ID from accessing mailbox
Connects directly to customer help-line
Resets to a 6 digit PIN and sends it over SMS
Blocks the Caller ID from accessing mailbox
Connects directly to customer help-line
4 digit PIN for $5
default PIN for $13
patterns, etc.
bruteforcing voicemail systems with voicemailcracker.py
so what?
compromising WhatsApp
Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…
Default PINs Common PINs Bruteforceable PINs Efficient bruteforcing by entering multiple PINs at once The greeting message is an attack vector
compromising Paypal
small subset
Git repo: github.com/martinvigo/voicemailautomator
if (carriersSetDefaultPins == TRUE) if (testingForDefaultPinsCheapFastUndetectedAutomatable == TRUE) if (updatingGreetingMessageAutomatable == TRUE) if (retrievingNewestMessageAutomatable == TRUE) if (speechToTextTranscription == TRUE) if (accountCompromiseIsAutomatable == TRUE) print “Yes, I should care”
messages
services
prompt from them
actual phone or online
required
Automated phone calls are a common solution for password reset, 2FA, verification and other services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link, voicemail systems
Strong password policy 2FA enforced A+ in OWASP Top 10 checklist Abuse/Bruteforce prevention Password reset | 2FA | Verification | Consent
Military grade crypto end to end Lots of cyber
@martin_vigo martinvigo.com martinvigo@gmail.com linkedin.com/in/martinvigo github.com/martinvigo youtube.com/martinvigo